Skip to main content

Week 3

(June,15,2023)

Updates:

This week, my work on the project primarily involved three main components:

  • Researching and studying the details of CycloneDX reports:
    • I explored into the CycloneDX schema, which helped me understand the specific data that can and cannot be included in the reports generated by FOSSology.
    • Additionally, I successfully mapped the required data fields between SPDX and CycloneDX reports.
  • Generating a CycloneDX report:
    • I focused on generating the report in JSON format, and I accomplished this task successfully.
    • Here is an example of the report generated:
        {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "version": 0,
    "$schema": "https://cyclonedx.org/schema/bom/1.4/schema.json",
    "serialNumber": "urn:uuid:BomRef.6-4881-a807-a47d-7.16459827",
    "metadata": {
    "timestamp": "2023-06-13T12:58:00+05:30",
    "tools": [
    {
    "vendor": "FOSSology",
    "name": "FOSSology",
    "version": "1.0.0"
    }
    ]
    },
    "components": [
    {
    "type": "file",
    "name": "File 1",
    "mime-type": "application/octet-stream",
    "bom-ref": "ABCDEF123",
    "supplier": {
    "name": "Supplier 1",
    "url": [],
    "contact": []
    }
    "scope": "required",
    "hashes": [],
    "licenses": [
    {
    "license": {
    "id": "License1",
    "name": "License 1",
    "text": {
    "content": "TGljZW5zZSB0ZXh0IDE=",
    "contentType": "text/plain",
    "encoding": "base64"
    },
    "url": "https://example.com/license1"
    },
    "expression": "License expression 1"
    },
    {
    "license": {
    "id": "License2",
    "name": "License 2",
    "text": {
    "content": "TGljZW5zZSB0ZXh0IDI=",
    "contentType": "text/plain",
    "encoding": "base64"
    },
    "url": "https://example.com/license2"
    },
    "expression": "License expression 2"
    }
    ],
    "copyright": "Copyright 1"
    },
    {
    "type": "file",
    "name": "File 2",
    "mime-type": "application/octet-stream",
    "bom-ref": "ABCDEF456",
    "supplier": {
    "name": "Supplier 2",
    "url": [],
    "contact": []
    },
    "scope": "required",
    "hashes": [],
    "licenses": [
    {
    "license": {
    "id": "License3",
    "name": "License 3",
    "text": {
    "content": "TGljZW5zZSB0ZXh0IDM=",
    "contentType": "text/plain",
    "encoding": "base64"
    },
    "url": "https://example.com/license3"
    },
    "expression": "License expression 3"
    }
    ],
    "copyright": "Copyright 2"
    }
    ]
    }
    • It's important to note that the data in the above report is not sourced from FOSSology. However, all the fields can be populated with data from the FOSSology database.
    • The report primarily emphasizes the components of an upload. While the CycloneDX specification allows for various types of components such as Application, Container, Device, Library, File, Firmware, Framework, and Operating System, we only need to include File components in FOSSology reports.
  • Validating the report:
    • I developed a simple PHP code that can be utilized to validate the report against the CycloneDX schema.
    • Here is the function that validates the report:
        function validateJSONAgainstSchema($jsonFile, $schemaFile)
    {
    $jsonString = file_get_contents($jsonFile);
    $schemaString = file_get_contents($schemaFile);

    $jsonData = json_decode($jsonString);
    $schemaData = json_decode($schemaString);

    $validator = new Validator();
    $validator->validate($jsonData, $schemaData);

    if (!$validator->isValid()) {
    $errors = array_map(function ($error) {
    return $error['property'] . ': ' . $error['message'];
    }, $validator->getErrors());

    return $errors;
    }

    return true;
    }

Conclusion and further plans:

  • In the upcoming weeks, I will work on CycloneDX agent implementation in FOSSology.